I'm more looking for confirmation of whether I'm doing this right or wrong. This is the scenario:

I'm hosting an AngularJS app in an ASP.NET MVC application. Using the MVC part I communicate with IdentityServer to log in, and once I do this I take the access_token from OWIN's OpenIdConnect validation notification and create a Cookie with its value, which I then get in AngularJS with the $cookieStore object to use for my requests.

Admittedly, security is by far my weakest link, so my question is whether the above scenario is safe, or whether I'm violating some sort of security rule that would allow someone to find a hole in security.
Your question is kind of hard to answer, since we can't confirm what you are going to do in the future. Generally you are on the right path, but security is hard, so you should know when to let others do it.
IdentityServer v3 is a great start though.
Take a look at the samples, specifically the JavaScriptImplicitClient from here: https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/tree/26293649324783cd5c6bbfe0dbb9e83c6df826fc/source/Clients
A nice article on Angular and WebAPI here as well: http://www.codeproject.com/Articles/784106/AngularJS-Token-Authentication-using-ASP-NET-Web-A
Have fun!